Methods and apparatus, including computer program products, implementing and using techniques for exchanging certificates, including generating a first container object including one or more of a sender's certificate and a request for a recipient's certificate, wherein the first container object has a recognizable container type, and transmitting the first container object to a recipient's address. Upon receipt of the first container object, it can be determined the first container object includes one or more of a certificate and a request for a certificate of the recipient. A request for a certificate can be responded to by generating a second container object including a certificate of the recipient, extracting a return address from the first container object, and transmitting the second container object to the return address.
|
32. A computer-implemented method for receiving a certificate, the method comprising:
receiving, using a second application on a client, a container object, the container object having a recognizable container type that is associated with a first application on the client which is distinct from the second application, wherein the second application is an e-mail client application or a web browser application;
automatically recognizing, using, one or more processors and the second application, that the container type is associated with the first application;
recognizing, using the first application, that the container object may include a certificate of a sender of the container object; and
automatically determining, using the first application, if the container object contains a certificate of the sender.
9. A computer program product, tangibly stored on a machine-readable medium, for a client machine which associates a first application with a mime container type, so that subsequent to a second application on the client distinct from the first application receiving a container object having the mime container type, it is recognized that the container type is associated with the first application, comprising the first application's instructions to perform operations on the client comprising:
automatically obtaining the container object from the second application, wherein the second application is an e-mail client application or a web browser application;
recognizing that the container object may include a certificate of a sender of the container object; and
automatically determining if the container object contains a certificate of the sender.
36. A computer-implemented method for receiving a request for a certificate, the method comprising:
receiving, using a second application, a first container object, the first container object having a recognizable container type that is associated with a first application which is distinct from the second application, wherein the second application is an e-mail client application or a web browser application;
automatically recognizing, using one or more processors and the second application, the container type as associated with the first application
recognizing, using the first application, that the first container object may include a request for a certificate of a recipient of the container object;
automatically determining, using the first application, if the first container object includes a request for a certificate of the recipient; and
if a request is included in the first container object, then responding, using the first application, to the request.
12. A computer program product, tangibly stored on a machine-readable medium, for a machine which associates a first application with a mime container type, so that subsequent to a second application distinct from the first application receiving a container object having the mime container type, it is recognized that the mime container type is associated with the first application, wherein the second application is an e-mail client application or a web browser application, the computer program product comprising the first application's instructions to perform operations comprising:
automatically obtaining a first container object from the second application;
recognizing that the first container object may include a request for a certificate of a recipient of the container object;
automatically determining if the first container object includes a request for a certificate of the recipient; and
if a request is included in the first container object, then responding to the request.
1. A computer program product, tangibly stored on a machine-readable medium, comprising a first application's instructions to perform operations on a client comprising:
generating a first container object, the first container object having a recognizable container type that is associated with the first application, the first container object containing a sender's certificate or a request for a recipient's certificate, and where generating the first container object includes putting the certificate or request in the container object;
using a second application on the client distinct from the first application to transmit the first container object to a recipient's address, wherein the second application is an e-mail client application or a web browser application;
automatically obtaining a second container object from the second application, the second container object having been received by the second application and the second container object having the same recognizable container type as the first container object; and
automatically identifying and extracting one or more certificates from within the second container object.
25. A computer-implemented method, comprising:
generating, using a first application on a client, a first container object, wherein the first container object has a recognizable container type that is associated with the first application, the first container object containing a sender's certificate or a request for a recipient's certificate, and where generating the first container object includes putting the certificate or request in the container object;
transmitting, using a second application on the client which is distinct from the first application, the first container object to a recipient's address, wherein the second application is an e-mail client application or a web browser application;
receiving, using the second application, a second container object, wherein the second container object has the same recognizable container type;
automatically recognizing, using the second application, that the container type is associated with the first application; and
invoking, using one or more processors, the first application, the first application automatically identifying and extracting one or more certificates from within the second container object.
44. A system, comprising:
one or more processors configured to invoke instances of one or more applications;
a first instance of a first application operable to generate a first container object, the first container object having a recognizable container type that is associated with the first application, the first container object containing a sender's certificate or a request for a recipient's certificate, and where generating the first container object includes putting the certificate or request in the container object;
a first instance of a second application operable to transmit the first container object to a recipient's address, the second application being distinct from the first application, wherein the second application is an e-mail client application or a web browser application;
a second instance of the second application operable to receive the first container object and to automatically recognize the container type as associated with the first application; and
a second instance of the first application operable to:
automatically recognize that the first container object may include a request for a certificate of a recipient of the container object;
automatically determine if the first container object includes the certificate of the sender, and if so, then automatically identify and extract one or more certificates from within the first container object; and
automatically determine if the first container object includes the request for the certificate of the recipient, and if so, then respond to the request, generating a second container object of the same recognizable container type including the certificate of the recipient, and using the second instance of the second application to transmit the second container object to an address of the sender.
2. The computer program product of
prior to generating a first container object, receiving input from a sender specifying the recipient's address and specifying one or more of a certificate of the sender and a request for the recipient's certificate to include in the first container object.
3. The computer program product of
4. The computer program product of
5. The computer program product of
determining whether the sender has multiple certificates;
if the sender has multiple certificates, receiving input from the sender selecting one or more of the sender's multiple certificates;
retrieving the sender's selected certificates from a certificate database; and
including the sender's selected certificates in the first container object.
6. The computer program product of
receiving input from a sender specifying a return address for receiving the recipient's certificate and instructions for returning the recipient's certificate; and
including in the first container object the return address and instructions for returning the recipient's certificate.
7. The computer program product of
including in the first container object validation information to be used to validate the sender's certificate.
11. The computer program product of
accepting or rejecting the certificate using the validation information; and
if the certificate is accepted, extracting the certificate and storing the certificate.
13. The computer program product of
generating a second container object of the same mime container type including a certificate of the recipient;
extracting a return address from the first container object; and
using the second application to transmit the second container object to the return address.
14. The computer program product of
determining whether the recipient has multiple certificates;
if the recipient has multiple certificates, receiving input from the recipient selecting one or more of the recipient's multiple certificates;
retrieving the selected certificates from the certificate database; and
including the selected certificates in the second container object.
15. The computer program product of
including in the second container object validation information to be used to validate the certificate of the recipient.
16. The computer program product of
17. The computer program product of
transmitting the recipient's certificate back to the networked server by Hypertext Transfer Protocol.
18. The computer program product of
19. The computer program product of
20. The computer program product of
prior to generating a first container object, receiving input from a sender specifying the recipient's address and specifying one or more of a certificate of the sender and a request for the recipient's certificate to include in the first container object.
21. The computer program product of
determining whether the sender has multiple certificates;
if the sender has multiple certificates, receiving input from the sender selecting one or more of the sender's multiple certificates;
including instructions for retrieving the sender's selected certificates in the first container object.
22. The computer program product of
receiving input from a sender specifying a return address for receiving the recipient's certificate and instructions for returning the recipient's certificate; and
including in the first container object the return address and instructions for returning the recipient's certificate.
23. The computer program product of
including in the first container object instructions for validating the sender's certificate.
26. The method of
prior to generating a first container object, receiving input, using the first application, from a sender specifying the recipient's address and specifying one or more of a certificate of the sender and a request for the recipient's certificate to include in the first container object.
28. The method of
determining, using the first application, whether the sender has multiple certificates;
if the sender has multiple certificates, then receiving input, using the first application, from the sender selecting one or more of the sender's multiple certificates;
retrieving, using the first application, the sender's selected certificates from a certificate database; and
including, using the first application, the sender's selected certificates in the first container object.
29. The method of
receiving input, at the first application, from a sender specifying a return address for receiving the recipient's certificate and instructions for returning the recipient's certificate; and
including in the first container object the return address and instructions for returning the recipient's certificate.
30. The method of
including, using the first application, in the first container object validation information to be used to validate the sender's certificate.
33. The method of
35. The method of
accepting or rejecting, using the first application, the certificate using the validation information; and
if accepting the certificate, then extracting, using the first application, the certificate and storing the certificate.
37. The method of
generating, using the first application, a second container object including a certificate of the recipient;
extracting, using the first application, a return address from the first container object; and
transmitting, using the second application, the second container object to the return address.
38. The method of
39. The method of
determining, using the first application, whether the recipient has multiple certificates;
if the recipient has multiple certificates, then receiving input, using the first application, from the recipient selecting one or more of the recipient's multiple certificates;
retrieving, using the first application, the selected certificates from the certificate database; and
including, using the first application, the selected certificates in the second container object.
40. The method of
including, using the first application, in the second container object validation information to be used to validate the certificate of the recipient.
41. The method of
42. The method of
transmitting, using the second application, the recipient's certificate back to the networked server by Hypertext Transfer Protocol.
45. The system of
the container type is Forms Data Format;
the first application is operable to generate Forms Data Format containers and the second application is an e-mail client application;
the system includes a first computer and a second computer operating in communication with the first computer over the Internet;
the first instance of the first application is installed on the first computer;
the first instance of the e-mail client application is installed on the first computer;
the second instance of the first application is installed on the second computer; and
the second instance of the e-mail client application is installed on the second computer.
|
The present invention relates to automated public key certificate transfer.
Public key cryptography uses public-private key pairs for electronic signatures, electronic signature verification and encryption and decryption of data for security during electronic transmission. In simple terms, a public key owned by an individual receiving the data (the “recipient”) is used by a sender to encrypt the data. The recipient then uses the recipient's corresponding private key to decrypt the data. In order to encrypt the data, the sender must have access to the recipient's public key.
When electronically signing data, a sender signs the data using the sender's private key, an operation that can involve using the private key to encrypt a “cryptographic hash” of the data that is being signed, and then making available to the recipient the signed data and the encrypted hash (the “signature”). The recipient verifies the signature by computing a new hash over the data using the sender's public key, decrypting the encrypted hash of the signature and comparing the two hashes. If the hashes match, then the data integrity is proven.
Typically, a public key for another individual (the sender for example) is obtained by obtaining the individual's public key certificate directly or indirectly from that individual. A certificate is an electronic data object including a public key, and can be issued by a trusted third party, a certificate authority, that verifies the identity of the certificate holder. The certificate can also include the name of the certificate authority and the name of the individual or entity for whom the certificate is issued. The recipient of another individual's certificate should take steps to verify the trustworthiness or authenticity of the certificate, which can then be added to a personal certificate database for later use. The recipient of an electronically signed document can verify the identity of the sender (signer) by verifying the certificate of the sender.
Currently, there are a number of ways to obtain someone's certificate, some of which are covered by standards issued by the Internet Engineering Task Force public-key infrastructure (X.509) working group (IETF-PKIX). For instance, the certificate can be found in a searchable database on a server. Such a server would typically be provided and managed by a trusted party that undertakes to ensure the validity of the database's contents, including the certificates it contains.
A certificate owner can also manually include the certificate as an attachment to an e-mail message sent to a recipient. This requires the owner to place the certificate into a file that will be attached to the e-mail message, and the recipient must manually add the certificate to a personal certificate database for later use.
The present invention provides methods and apparatus, including computer program products, for exchanging certificates. In general, in one aspect, the invention features generating a first container object including one or more of a sender's certificate and a request for a recipient's certificate, wherein the first container object has a recognizable container type, and transmitting the first container object to a recipient's address.
Implementations of the invention can include one or more of the following. Prior to generating a first container object, input can be received from a sender specifying the recipient's address and specifying one or more of a certificate of the sender and a request for the recipient's certificate to include in the first container object. The first container object can be transmitted by electronic mail or Hypertext Transfer Protocol, and the first container object can be generated by a server. If the sender has multiple certificates, input can be received from the sender selecting one or more of the sender's multiple certificates, which selected certificates can be retrieved from a certificate database and included in the first container object. If the first container object includes a request for a recipient's certificate, input can be received from a sender specifying a return address for receiving the recipient's certificate and instructions for returning the recipient's certificate, and the return address and instructions for returning the recipient's certificate can be included in the first container object. If the first container object includes a sender's certificate, validation information to be used to validate the sender's certificate can be included in the first container object. The container type can be Forms Data Format.
In general, in another aspect, the invention features receiving a container object having a container type, recognizing the container type and that the container object may include a certificate of a sender of the container object, and determining if the container object contains a certificate of the sender.
Implementations of the invention can include one or more of the following. The container object can be received by electronic mail or Hypertext Transfer Protocol. The container type can be Forms Data Format. The container object can include a certificate and validation information and the certificate can be accepted or rejected using the validation information. If the certificate is accepted, the certificate can be extracted and stored.
In general, in another aspect, the invention features receiving a first container object having a container type, recognize the container type and that the first container object may include a request for a certificate of a recipient of the container object, determining if the first container object includes a request for a certificate of the recipient, and, if a request is included in the first container object, then responding to the request. A request can be responded to by generating a second container object including a certificate of the recipient, extracting a return address from the first container object, and transmitting the second container object to the return address. The first container object and the second container object can be a Forms Data Format container type. The first container object can be received from a networked server and can be responded to by transmitting the recipient's certificate back to the networked server by Hypertext Transfer Protocol.
In general, in another aspect, the invention features generating a first container object including a sender's certificate and a request for a recipient's certificate, wherein the first container object has a recognizable container type, transmitting the first container object to a recipient's address, and receiving a second container object generated in response to the request for the recipient's certificate, the second container object having the recognizable container type. It can be determined if the second container object includes the recipient's certificate and, if the second container object includes the recipient's certificate, then the recipient's certificate can be accepted or rejected.
In general, in another aspect, the invention features generating a first container object including one or more of instructions for retrieving a sender's certificate and instructions requesting a recipient's certificate, wherein the first container object has a recognizable container type, and transmitting the first container object to a recipient's address.
The invention can be implemented to realize one or more of the following advantages. A user can request a certificate from another user. The recipient of such a request can respond to the request by sending the recipient's certificate automatically, without the recipient manually exporting the certificate into a file or cutting and pasting the certificate into an e-mail message. A user can send a certificate over a computer network without having to export manually the certificate into a file or cut and paste the certificate into an e-mail message. The certificate transfer process can take place across multiple network elements of different kinds. A server can request a certificate from a specific user. A server can push certificates over a communications network to a user.
The details of one or more implementations of the invention are set forth in the accompanying drawings and the description below. Other features and advantages of the invention will become apparent from the description, the drawings, and the claims.
Like reference symbols in the various drawings indicate like elements.
As shown in
The container object generator 110, 175 operates to create container objects 125, shown in
A computer program running in a computer, such as computer program 105, can implement a method 200 for transmitting a sender's certificate, a request for a recipient's certificate, or both, as shown in
The computer program 105 also determines whether the sender desires to request a certificate of the recipient (225). This can be done by receiving input from the sender or by referring to a previously set user preference. For example, a preference can indicate that a certificate should be requested, if a certificate of the recipient does not appear in the sender's certificate database. Optionally, computer program 105 can prompt the sender to specify a return address to which the recipient's certificate is to be delivered (230), or alternatively, a default or previously set address can be used. The sender can also provide instructions for returning the recipient's certificate, such as specifying a protocol. A return address can be any convenient return path for the recipient's certificate, so long as the protocol is specified, the address is specified for that protocol and the protocol supports this type of operation. For example, the return address can be an e-mail address or a URL. The container object generator module 110 of the computer program 105 then generates a container object including the sender's certificate or certificates (if the sender selected to include a certificate), the sender's request for the recipient's certificate (if any), and the return address (if any) (235). The container object is then transmitted to the recipient's address (240).
As shown in
In another implementation, the validation information 152 can include contact information of a third party authority that can verify the authenticity of the sender's certificate received by the recipient. For example, the contact information can be a URL to a Web site where the recipient can validate the sender's certificate through a trusted third party, such as a certificate registry. Any other convenient means to validate the sender's certificate can be used.
Container object generator 175 generates a new container object including the recipient's certificate or certificates (530). A return address to which the certificate is to be delivered is extracted from the received container object (535). The new container object is transmitted to the return address (540).
In another implementation, a server generates a container object including a request for a certificate. For example, a Web server can generate a container object including a request for a certificate and a recipient's Web browser can execute computer program 105, 165 to process the container object. The request for a certificate can be processed as described above in reference to
For illustrative purposes, the following example describes an instance when a Web server is the sender of a request for a certificate. A bank providing online banking services allows the bank's customers to receive their banking statements electronically over HTTP from a Web server. For security purposes, the bank requires a customer's public key certificate to encrypt the customer's banking statements before transmitting them to the customer electronically. Accordingly, if the bank does not have a customer's certificate in a certificate database, the bank generates a container object including a request for a certificate. A customer's Web browser associates the container object with an application program, such as computer program 105, 165, to process the container object and respond to the request for a certificate included in the container object.
In another implementation, certificates can be downloaded from a server. For example, a company having a number of employees could maintain a certificate database containing the certificates of the employees on a Web server. Employees of the company could access a Web site and request certificates of their fellow employees to enable the employees to share encrypted documents. Upon receiving a request by an employee for a certificate, the Web server generates a container object including the certificate. The employee's Web browser associates the container object with computer program 105, 165 and processes the container object using the method 300 shown in
In one implementation, the container object is a Forms Data Format (FDF) file, which is described in “PDF Reference”, 2nd ed., Addison-Wesley Publishing Company, (2000) at pp. 460-468. The FDF file type provides a convenient tunneling protocol for passing data between users using e-mail, HTTP, or other network protocols. A Web browser of an operating system of a computer 100, 160 will generally be instructed to associate an application computer program 105, 165, for example, Adobe Acrobat™ 5.0 (“Acrobat”) by Adobe Systems Incorporated of San Jose, Calif., with the FDF file type or Multipurpose Internet Mail Extensions (MIME) type. The Web browser or operating system checks whether Acrobat is open, opens Acrobat if it is not open, and sends the FDF file to Acrobat for processing.
The invention can be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. Apparatus of the invention can be implemented in a computer program product tangibly embodied in a machine-readable storage device for execution by a programmable processor; and method steps of the invention can be performed by a programmable processor executing a program of instructions to perform functions of the invention by operating on input data and generating output. The invention can be implemented advantageously in one or more computer programs that are programmed on a programmable system including at least one programmable processor coupled to receive data and instructions from, and to transmit data and instructions to, a data storage system, at least one input device, and at least one output device. Each computer program can be implemented in a high-level procedural or object-oriented programming language, or in assembly or machine language if desired; and in any case, the language can be a compiled or interpreted language. Suitable processors include, by way of example, both general and special purpose microprocessors. Generally, a processor will receive instructions and data from a read-only memory and/or a random access memory. The essential elements of a computer are a processor for executing instructions and a memory. Generally, a computer will include one or more mass storage devices for storing data files; such devices include magnetic disks, such as internal hard disks and removable disks; magneto-optical disks; and optical disks. Storage devices suitable for tangibly embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM disks. Any of the foregoing can be supplemented by, or incorporated in, ASICs (application-specific integrated circuits).
To provide for interaction with a user, the invention can be implemented on a computer system having a display device such as a monitor or LCD screen for displaying information to the user and a keyboard and a pointing device such as a mouse or a trackball by which the user can provide input to the computer system. The computer system can be programmed to provide a graphical user interface through which computer programs interact with users.
The invention has been described in terms of particular embodiments. Other embodiments are within the scope of the following claims. For example, steps of the invention can be performed in a different order and still achieve desirable results. The computer program 105, 165 is not limited to Adobe Acroba™5.0. Also, computer program 105, 165 need not be a standalone program, but can be a plug-in installed in conjunction with another program. Similarly, a container object format different from the FDF file format can be used as the container object 125 and the new container object. Further, one or both of the computers 100, 160 can be one or more server or servers. Accordingly, the return address 150 may be any network address using any network protocol, in addition to HTTP server addresses and e-mail addresses.
Accordingly, other embodiments are within the scope of the following claims.
Patent | Priority | Assignee | Title |
10666443, | Oct 18 2016 | Red Hat, Inc | Continued verification and monitoring of application code in containerized execution environment |
10673639, | Sep 25 2013 | Wells Fargo Bank, N.A. | Dynamic object creation and certificate management |
11157626, | May 29 2019 | Northrop Grumman Systems Corporation | Bi-directional chain of trust network |
11249783, | May 23 2018 | International Business Machines Corporation | Intra application container direct communication protocol |
11522720, | Sep 25 2013 | Wells Fargo Bank, N.A. | Dynamic object creation and certificate management |
11588647, | Nov 08 2017 | SIEMENS GAMESA RENEWABLE ENERGY A S | Method and validation device for validating a digital certificate |
8977842, | Feb 05 2010 | CA, INC | Hypervisor enabled secure inter-container communications |
9344425, | Sep 25 2013 | WELLS FARGO BANK, N A | Dynamic object creation and certificate management |
9954688, | Sep 25 2013 | Wells Fargo Bank, N.A. | Dynamic object creation and certificate management |
Patent | Priority | Assignee | Title |
5572643, | Oct 19 1995 | INTERNETAD SYSTEMS LLC | Web browser with dynamic display of information objects during linking |
5809512, | Jul 28 1995 | Matsushita Electric Industrial Co., Ltd. | Information provider apparatus enabling selective playing of multimedia information by interactive input based on displayed hypertext information |
5838906, | Oct 17 1994 | EOLAS TECHNOLOGIES INC | Distributed hypermedia method for automatically invoking external application providing interaction and display of embedded objects within a hypermedia document |
6014688, | Apr 25 1997 | Cisco Technology, Inc | E-mail program capable of transmitting, opening and presenting a container having digital content using embedded executable software |
6052732, | Dec 20 1994 | Sun Microsystems, Inc. | System for dynamically loading object viewer from client or server |
6078951, | Nov 27 1996 | Intel Corporation | Method and apparatus for automating a software delivery system by locating, downloading, installing, and upgrading of viewer software |
6230189, | Dec 09 1997 | RICOH COMPANY,LTD | Apparatus and method for an HTTP server capable of connecting facsimile apparatuses and data terminals |
6324645, | Aug 11 1998 | DIGICERT, INC | Risk management for public key management infrastructure using digital certificates |
6397246, | Nov 13 1998 | GLOBALFOUNDRIES Inc | Method and system for processing document requests in a network system |
6542472, | Feb 04 1999 | PANASONIC COMMUNICATIONS CO , LTD | Communication apparatus |
6651084, | Nov 29 1999 | International Business Machines Corporation | System and method for adding plug-ins to a web browser |
6760752, | Jun 28 1999 | Zix Corporation | Secure transmission system |
6766305, | Mar 12 1999 | SCSK CORPORATION | Licensing system and method for freely distributed information |
7234114, | Mar 24 2003 | Microsoft Technology Licensing, LLC | Extensible object previewer in a shell browser |
7293099, | Sep 29 1998 | Oracle America, Inc | Heterogeneous network file access |
20020010746, | |||
20020124167, | |||
20030028768, | |||
20040243837, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Feb 04 2002 | PRAVETZ, JAMES D | Adobe Systems Incorporated | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 012586 | /0181 | |
Feb 06 2002 | Adobe Systems Incorporated | (assignment on the face of the patent) | / | |||
Oct 08 2018 | Adobe Systems Incorporated | Adobe Inc | CHANGE OF NAME SEE DOCUMENT FOR DETAILS | 048867 | /0882 |
Date | Maintenance Fee Events |
Oct 30 2013 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Mar 16 2015 | ASPN: Payor Number Assigned. |
Mar 16 2015 | RMPN: Payer Number De-assigned. |
Nov 16 2017 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity. |
Dec 01 2021 | M1553: Payment of Maintenance Fee, 12th Year, Large Entity. |
Date | Maintenance Schedule |
Jun 01 2013 | 4 years fee payment window open |
Dec 01 2013 | 6 months grace period start (w surcharge) |
Jun 01 2014 | patent expiry (for year 4) |
Jun 01 2016 | 2 years to revive unintentionally abandoned end. (for year 4) |
Jun 01 2017 | 8 years fee payment window open |
Dec 01 2017 | 6 months grace period start (w surcharge) |
Jun 01 2018 | patent expiry (for year 8) |
Jun 01 2020 | 2 years to revive unintentionally abandoned end. (for year 8) |
Jun 01 2021 | 12 years fee payment window open |
Dec 01 2021 | 6 months grace period start (w surcharge) |
Jun 01 2022 | patent expiry (for year 12) |
Jun 01 2024 | 2 years to revive unintentionally abandoned end. (for year 12) |